Security researchers have identified a strain of malware that has already infected at least one European energy company.
The malware, dubbed SFG, is related to an earlier sample called Furtim, which created a backdoor on targeted industrial control systems. This backdoor could be used to deliver a payload capable of “extract[ing] data or potentially shut[ting] down the energy grid,” security researchers at endpoint security firm SentinelOne Labs warn.
SentinelOne Labs researchers reckon the SFG malware bears all the hallmarks of a nation-state attack - probably of Eastern European origin. The Windows-based malware is designed to bypass traditional antivirus software and firewalls.
It is also primed to detect when it is being run in a sandbox environment - a technique used to analyse advanced malware - or on systems protected by biometric access controls. Where such defences are detected, the software re-encrypts itself and stops working until it is released from the sandbox environment. These techniques (anti-debug, anti-sandbox, anti-AV) are designed to help the malware fly under the radar and avoid detection by security analysts.
Udi Shamir, chief security officer at SentinelOne, commented: “The malware has all the hallmarks of a nation state attack due to its extremely high level of sophistication and the cost associated with creating software of this advanced nature.
“It appears to be the work of multiple developers who have reverse engineered more than a dozen antivirus solutions and gone to extreme lengths to evade detection, including causing the AV software to stop working without the user being alerted. Attacks of this nature require substantial funding and know-how to pull off and are likely to be the result of a state-sponsored attack, rather than a cybercriminal group.”
Technical details about the SFG malware can be found in SentinelOne Labs' blog post. ®